From b1121da23711e946ed390fc4a2cdedf219a558df Mon Sep 17 00:00:00 2001
From: Khristinin Nikita
Date: Thu, 10 Feb 2022 19:30:13 +0100
Subject: [PATCH] [Rule Tuning] Fix IM query (#1767)

* Fix IM quer
* Add update date
---
 rules/cross-platform/threat_intel_filebeat8x.toml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/rules/cross-platform/threat_intel_filebeat8x.toml b/rules/cross-platform/threat_intel_filebeat8x.toml
index 18c9f29f0..dda36e752 100644
--- a/rules/cross-platform/threat_intel_filebeat8x.toml
+++ b/rules/cross-platform/threat_intel_filebeat8x.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/11/24"
 maturity = "production"
-updated_date = "2022/01/26"
+updated_date = "2022/02/10"
 min_stack_comments = "Threat index is ECS 1.11 compliant (8.0)."
 min_stack_version = "8.0"
@@ -72,7 +72,7 @@
 threat_indicator_path = "threat.indicator"
 threat_language = "kuery"
 threat_query = '''
-@timestamp >= "now-30d/d" and event.dataset:ti_* and
+@timestamp >= "now-30d/d" and event.module:threatintel and
 (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)
 '''
@@ -89,11 +89,11 @@
 store = "appState"
 negate = false
 disabled = false
 type = "phrase"
-key = "event.dataset"
+key = "event.module"
 [rule.threat_filters.meta.params]
-query = "ti_*"
+query = "threatintel"
 [rule.threat_filters.query.match_phrase]
-"event.dataset" = "ti_*"
+"event.module" = "threatintel"
 [[rule.threat_filters]]
 [rule.threat_filters."$state"]
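Review bot: The `event.module:threatintel` predicate on the new threat_query line is duplicated by the phrase filter in the third hunk (`key = "event.module"`, `query = "threatintel"`, `"event.module" = "threatintel"`), so the rule now carries the same indicator-source constraint in two places that must be changed together, and nothing in the file records that coupling even though this commit had to touch both. A comment above `threat_query = '''` such as `# Source scope must match the event.module phrase filter under [[rule.threat_filters]]; change both together.` would keep the next tuning from letting the KQL and the filter drift apart. Narrowing from the `ti_*` dataset wildcard to a single module value presumably means only indicators written by the Filebeat threatintel module match from now on, which fits the rule's 8.x Filebeat scope but is worth confirming against the indices listed in threat_index, which sit outside this hunk. The enclosing [rule] table begins before the hunk; the first hunk only bumps updated_date and needs no note.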